1. 10

The theory of capability based operating systems claims it isn’t as complex as one first might think. I know there are some few Capability based operating systems out there, but why isn’t it mitre popular?

  1. 6

    This has been a subject of discussion between @kyle and I (and some others) a lot lately. The answer is more mixed than you might think if you look at things more broadly than just at the operating system level.

    Object capability ideas have been influencing development of JavaScript with many contributions from Mark Miller and others to ES6. Object capability ideas are also part of what Cap'n Proto is trying to achieve.

    The L4 microkernels have been capability-based designs for a while now, especially with Fiasco.OC and seL4. That said, it isn’t terribly easy to get started building anything with them.

    As pointed out by another user, OS X has been using capabilities more and more. There’s been some motion with Linux and FreeBSD as well (but not nearly to the same extent as far as I’ve seen).

    Applying all of this to an existing OS is not all that easy though. Taming the libraries of a language to enforce POLA and a good object capability model is not terribly easy and has really own been done a couple of times (Joe-E, Emily, etc). I’ve asked the E people for some guidelines on taking on the task of taming a set of libraries and there isn’t really a good distillation of what the know so far in a single approachable form.

    Object capability ideas are definitely starting to see wider adoption, which is great. But it is taking a very long time and will be a very long time before they’re really dominant (if ever). I sometimes wonder what happens if they aren’t well adopted by the time that some of the key people in the field die …

    (I could provide links for some of the above, but I didn’t want to dig them all up before posting. So, ask for links to particular things and I’ll provide them.)

    1. 4

      I suspect the answer is that it’s more complex than one might think at first :-).

      This interview with Butler Lampson is quite long, but if you’re interested in capability based computing, it’s probably worth reading in its entirety. It the interview, Lampson describes why capability based computing is exciting, and why so many great researchers worked on capability based systems in the early days (Jim Gray, Charles Simonyi, and a number of other well known folks). The conclusion that Lampson and others came to is that, as an engineering trade off, building an OS around capabilities isn’t worth it. It’s not a fundamentally terrible idea, but no one has figured out how to do it simply enough that it’s worth all of the extra complexity.

      And then the question is, are capabilities a good tool for organizing the system? And I think our conclusion there was they work, we made it work, and they have some advantages because you get uniformity. By contrast, the way in which security works in UNIX, for example, they have these file descriptors, those are capabilities, but they also have a bunch of more ad hoc things. And on the whole, I think that works better. Some of them are more complicated, but you can tune some of the ad hoc things that need to have high performance better, specific requirements. I don’t know really how you would figure this out. You’d have to do some systematic experiments, and they would have to on a fairly large scale; and no one has ever attempted that kind of thing. Basically, I think our judgment was that there were easier ways to get to the same effect.

      1. 3

        FreeBSD has started adding sandboxing and capabilities to some things with Capsicum.

        1. 2

          I guess it depends how complex you assume I think it is. A step down from “entirely too complex” would still be “too complex”.

          Obvious question would be, have you tried a capability based system? How’d it go?

          1. 2

            OS X has been using its capabilities system for more and more things under the hood. It’s not yet universal because presenting a POSIX API atop it is really hard.

            Edit: spellchecko

            1. 1

              Could you please provide a reference for this?

              1. 1

                Mm. I know it because I’ve worked with Apple’s APIs and they keep breaking because stuff that looks innocuous actually now requires the appropriate permissions to be added to the app’s sandbox. I think some of it is documented in the details of each framework on http://developer.apple.com/, but I’m not aware that anyone outside Apple has centralized information about the change.